TO:


EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF MANAGEMENT AND BUDGET 

WASHINGTON, D.C. 20503

September 17, 1985 

LEGISLATIVE REFERRAL MEMORANDUM 

Department of Defense - Werner Windus (697-1305) 
General Services Administration - Ted floert (566-1250)
Central Intelligence Agency- 
National Security Council 


SUBJECT: Commerce (main Commerce) testimony on H.R. 2889, "Computer Research
and Training Act of 1985" 


The Office of Management and Budget requests the views of your 
agency on the above subject before advising on its relationship to 
the program of the President, in accordance with Circular A-19. 

Please provide us with your views no later than 

3:30 P.M. TODAY SEPTEMBER 17, 1985

Direct your questions to Gregory Jones ^ office. 



Assistant Director for
Legislative Reference 


Enclosures

cc: S. Dotson
E. Springer 
K. Sheid 
U.S. DEPARTMENT OF COMMERCE
STATEMENT OF MR. DOUGLAS A. RIGGS 
GENERAL COUNSEL 
BEFORE THE SUBCOMMITTEE ON LEGISLATION AND NATIONAL SECURITY 
COMMITTEE ON GOVERNMENT OPERATIONS
U.S. HOUSE OF REPRESENTATIVES 

SEPTEMBER 18, 1985



MR. CHAIRMAN AND MEMBERS OF THE COMMITTEE: 

THANK YOU FOR THIS OPPORTUNITY TO TESTIFY ON THE IMPORTANT SUBJECT 
OF COMPUTER SECURITY. I AM ACCOMPANIED BY MR. RAY KAMMER, DEPUTY
DIRECTOR OF THE NATIONAL BUREAU OF STANDARDS. 

MY TESTIMONY TODAY WILL CENTER ON THE COMPUTER SECURITY PROGRAM 
BEING CARRIED OUT WITHIN THE DEPARTMENT OF COMMERCE AT THE NATIONAL 
BUREAU OF STANDARDS; ON H.R. 2889, PRESENTLY BEING CONSIDERED; ON
THE NATIONAL SECURITY DECISION DIRECTIVE 145; AND ON A PROPOSED
GOVERNMENTWIDE PROGRAM IN COMPUTER SECURITY.

PUBLIC LAW 89-506 ESTABLISHED THE ROLES OF SEVERAL ORGANIZATIONS 
FOR IMPROVING THE UTILIZATION OF COMPUTERS WITHIN THE FEDERAL 
GOVERNMENT. THE DEPARTMENT OF COMMERCE DELEGATED ITS ROLE OF 
DEVELOPING FEDERAL INFORMATION PROCESSING STANDARDS FOR IMPROVING 
THE EFFECTIVE USE OF COMPUTERS TO THE NATIONAL BUREAU OF STANDARDS 
(NBS). THE PRESIDENT HAS DELEGATED HIS AUTHORITY TO ISSUE THE
FEDERAL INFORMATION PROCESSING STANDARDS TO THE SECRETARY OF
COMMERCE. 


THE INSTITUTE FOR COMPUTER SCIENCES AND TECHNOLOGY WAS ESTABLISHED
WITHIN NBS TO CARRY OUT THIS LEGISLATIVE MISSION. THE INSTITUTE
ESTABLISHED A COMPUTER SECURITY PROGRAM IN 1973. THE TESTIMONY OF
MR. BURROWS, DIRECTOR OF THIS INSTITUTE, OUTLINES THE ACHIEVEMENTS
OF THIS PROGRAM.

THE PROPOSED "COMPUTER SECURITY RESEARCH AND TRAINING ACT OF 1985"
ENHANCES THE ROLE OF THE NATIONAL BUREAU OF STANDARDS IN
COMPUTER SECURITY. THE CURRENT NBS SECURITY PROGRAM EMPHASIZES
THE DEVELOPMENT OF TECHNICAL AND ADMINISTRATIVE METHODS FOR
PROTECTING THE INTEGRITY, CONFIDENTIALITY AND AVAILABILITY OF
COMPUTER DATA. NBS NOW RELIES ON THE RESEARCH AND DEVELOPMENT
EFFORTS OF OTHER GOVERNMENT ENTITIES, PRIMARILY THE DEPARTMENT OF
DEFENSE. THE BREADTH OF THE NBS COMPUTER SECURITY PROGRAM AND THE
UTILITY OF THE RESULTING STANDARDS AND GUIDELINES HAS BEEN
RECOGNIZED. THE TECHNICAL DEPTH OF THE RESEARCH PROGRAM OF THE
DEPARTMENT OF DEFENSE PROMISES SIGNIFICANT RESULTS IN SPECIALIZED
TECHNICAL AREAS. APPROPRIATE TECHNOLOGY HAS BEEN TRANSFERRED FROM
THE RESEARCH PROGRAM OF THE DEPARTMENT OF DEFENSE TO THE NATIONAL
BUREAU OF STANDARDS BUT THERE HAS EXISTED NO INDEPENDENT RESEARCH
ACTIVITY OF SUFFICIENT SCOPE TO SUPPORT THE SECURITY PROGRAMS
SOUGHT BY MANY NON-DOD ORGANIZATIONS AND ACTIVITIES. THE
DEPARTMENT OF COMMERCE ENDORSES THE PROVISIONS OF THE BILL THAT
WOULD ESTABLISH THE NEEDED COMPUTER SECURITY RESEARCH PROGRAM AT
THE NATIONAL BUREAU OF STANDARDS AND THAT WOULD ADDRESS THE
PROBLEMS IN COMPUTER SECURITY THAT ARE NOT BEING ADEQUATELY
ADDRESSED TODAY.

I WOULD NOW LIKE TO PRESENT OUR VIEW OF THE NSDD 145. THE
DIRECTIVE STATES A SET OF REQUIREMENTS FOR PROTECTING CLASSIFIED
NATIONAL SECURITY INFORMATION AND OTHER SENSITIVE INFORMATION
CONCERNING THE VITAL INTERESTS OF THE UNITED STATES. IT THEN
ESTABLISHES AN ADMINISTRATIVE MECHANISM FOR ACHIEVING THE GOALS OF
THIS PROTECTION PROGRAM. THE DIRECTIVE SPECIFICALLY STATES,
"NOTHING IN THIS DIRECTIVE AMENDS OR CONTRAVENES THE PROVISIONS OF
EXISTING LAW, EXECUTIVE ORDERS, OR PRESIDENTIAL DIRECTIVES WHICH
PERTAIN TO THE PRIVACY ASPECTS OR FINANCIAL MANAGEMENT OF
AUTOMATED INFORMATION SYSTEMS OR TO THE ADMINISTRATIVE REQUIREMENTS
FOR SAFEGUARDING SUCH RESOURCES AGAINST FRAUD, ABUSE AND
WASTE." AS THIS HAS BEEN THE THRUST OF THE COMPUTER SECURITY
PROGRAM AT THE NATIONAL BUREAU OF STANDARDS, WE SEE NO CHANGE,
OTHER THAN A REQUIREMENT FOR COORDINATION, DUE TO THE DIRECTIVE.

WE FEEL THAT THE PROVISIONS OF THE PROPOSED LEGISLATION, THE 
EXISTING LEGISLATION AND THE DIRECTIVE ARE CONSISTENT. 

I WOULD NOW LIKE TO OUTLINE WHAT WE SEE AS THE NEXT STEPS TO 
IMPROVE THE GOVERNMENTWIDE COMPUTER SECURITY PROGRAM. FIRST THE
PROPOSED H.R. 2889 SHOULD BE PASSED AFTER A FEW CLARIFYING
CHANGES.


Sanitized Copy Approved for Release 2010/04/06 : CIA-RDP87M01 152R001 101350040-2




SECOND, FOLLOWING PASSAGE OF THE CLARIFIED BILL, A MEMORANDUM OF 
UNDERSTANDING SHOULD BE ESTABLISHED BETWEEN THE NATIONAL MANAGER 
FOR TELECOMMUNICATIONS AND AUTOMATIC INFORMATION SYSTEMS SECURITY 
(ESTABLISHED BY NSDD 145) AND THE DIRECTOR, NATIONAL BUREAU OF
STANDARDS, DELINEATING THE RESPONSIBILITIES OF EACH PARTY IN 
JOINTLY FULFILLING THEIR COMPUTER SECURITY ASSIGNMENTS.

FINALLY, WE BELIEVE THAT A JOINT RESEARCH PROGRAM IN COMPUTER 
SECURITY IS WORKABLE AND DESIRABLE. THE DEPARTMENT OF DEFENSE 
WOULD FOCUS ON NATIONAL SECURITY AND THE DEPARTMENT OF COMMERCE ON 
CIVIL CONCERNS SUCH AS ELECTRONIC FUNDS TRANSFER. THE EFFORTS 
WOULD BE COORDINATED FOR PROGRAM EFFECTIVENESS AND TO AVOID 
DUPLICATION. 

THANK YOU. I AM AVAILABLE TO ANSWER ANY QUESTIONS THAT YOU MAY 
HAVE. 